Table Of Contents
NAT Support for IPsec ESP—Phase II
Information About NAT Support for IPsec ESP
Benefits of NAT Support for IPsec ESP
How to Configure IPsec ESP Through NAT
Enabling SPI Matching on the NAT Device
Enabling SPI Matching on the Endpoints
NAT Support for IPsec ESP—Phase II
The NAT Support for IPsec ESP—Phase II feature allows multiple concurrent IP Security (IPsec) Encapsulating Security Payload (ESP) tunnels or connections through a Cisco IOS Network Address Translation (NAT) device configured in overload or Port Address Translation (PAT) mode. IPsec wrapper techniques used with the User Datagram Protocol (UDP) are not used with ESP tunnels.
Note
This feature can only be used if both VPN endpoints are Cisco devices running Cisco IOS release 12.2(15)T or later.
Feature Specifications for the NAT Support for IPsec ESP—Phase II Feature
Feature History
Release 12.2(15)T: This feature was introduced.
Supported Platforms
For supported platforms in Cisco IOS Release 12.2(15)T, consult Cisco Feature Navigator.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Information About NAT Support for IPsec ESP
• How to Configure IPsec ESP Through NAT
Information About NAT Support for IPsec ESP
Before you configure IPsec ESP through NAT, you should understand the following concepts:
• Benefits of NAT Support for IPsec ESP
Benefits of NAT Support for IPsec ESP
Normally, ESP entries in the translation table are delayed from being transmitted until a reply is received from the destination. With predictable security parameter indexes (SPIs) and SPI matching, this delay is eliminated because the SPI entries are matched. Some third-party concentrators require both the source and incoming ports to use port 500. The preserve-port keyword of the ip nat service command keeps both ports unchanged, whereas regular NAT must change one of them.
IPsec
IPsec is a set of extensions to the IP protocol family in a framework of open standards for ensuring secure private communications over the Internet. Based on standards developed by the Internet Engineering Task Force (IETF), IPsec ensures confidentiality, integrity, and authenticity of data communications across the public network and provides cryptographic security services.
IPsec provides secure tunnels between two peers, such as two routers. By specifying the characteristics of these tunnels, you decide which packets are considered sensitive and should be sent through them, and which parameters should be used to protect those packets. When the IPsec peer receives a sensitive packet, it sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.
IPsec using ESP can pass through a router running NAT without any specific support from it as long as Network Address Port Translation (NAPT) or address overloading are not configured.
There are a number of factors to consider when attempting an IPsec Virtual Private Network (VPN) connection that traverses a NAPT device that represents multiple private internal IP addresses as a single public external IP address. Such factors include the capabilities of the VPN server and client, the capabilities of the NAPT device, and whether more than one simultaneous connection is attempted across the NAPT device.
There are two possible methods for configuring IPsec on a router with NAPT:
• Encapsulate IPsec in a Layer 4 protocol such as TCP or UDP—In this case, IPsec is "sneaking" through NAT. The NAT device is unaware of the encapsulation.
• Add IPsec specific support to NAPT—IPsec works with NAT in this case as opposed to "sneaking" through NAT. The NAT Support for IPsec ESP—Phase II feature provides support for Internet Key Exchange (IKE) and ESP without encapsulation in tunnel mode through a Cisco IOS router configured with NAPT.
Note
The recommended protocols to use when conducting IPsec sessions that traverse a NAPT device are TCP and UDP, but not all VPN servers or clients support TCP or UDP encapsulation.
SPI Matching
SPI matching is used to establish VPN connections between multiple pairs of destinations. NAT entries will immediately be placed in the translation table for endpoints matching the configured access list. This is available only for endpoints that choose SPIs according to the predictive algorithm implemented in Cisco IOS Release 12.2(15)T.
How to Configure IPsec ESP Through NAT
This section contains the following procedures:
• Enabling Preserve Port
• Enabling SPI Matching
Enabling Preserve Port
This task applies to IPsec traffic that uses port 500 for both the source and the incoming port. It configures NAT to preserve port 500 for both ports instead of translating one of them.
Note
This task is required by certain VPN concentrators but will cause problems with other concentrators. Cisco VPN devices generally do not use this feature.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service list access-list-number IKE preserve-port
DETAILED STEPS
Enabling SPI Matching
Prerequisites
• Cisco IOS software must be running on both the source router and the remote gateway, enabling parallel processing.
• SPI matching must be configured on the NAT device and both endpoint devices.
This section contains the following procedures:
• Enabling SPI Matching on the NAT Device
• Enabling SPI Matching on the Endpoints
Enabling SPI Matching on the NAT Device
This task enables SPI matching to be configured on the NAT device.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip nat service list access-list-number ESP spi-match
DETAILED STEPS
Enabling SPI Matching on the Endpoints
This task enables SPI matching on both endpoints.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto ipsec nat-transparency spi-matching
DETAILED STEPS
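The following Python script is an added example, not Cisco's code and not part of this document's procedures. It audits the prerequisites above against saved running-config text: the NAT device must carry ip nat service list <acl> ESP spi-match with that access list actually defined, and both VPN endpoints must carry crypto ipsec nat-transparency spi-matching. The three configs, hostnames and function names are constructed for the example. The endpoint state model (UDP encapsulation on by default, the two keywords mutually exclusive, the no form clearing only the named keyword) is an assumption drawn from the crypto ipsec nat-transparency usage guidelines in the command reference later in this document.

```python
"""Added example (not Cisco's code): audit the SPI-matching prerequisites listed
above. The NAT device needs 'ip nat service list <acl> ESP spi-match' with that
access list actually defined, and each VPN endpoint needs 'crypto ipsec
nat-transparency spi-matching'. The three configs are constructed samples. The
endpoint model (UDP encapsulation on by default, the two keywords mutually
exclusive, the 'no' form clearing only the named keyword) is an assumption drawn
from the crypto ipsec nat-transparency usage guidelines in this document."""
import re

# Constructed sample configs (not taken from real devices).
NAT_DEVICE_CONFIG = """\
hostname nat-gw
access-list 10 permit 10.1.1.1
ip nat service list 10 ESP spi-match
ip nat inside source list 1 interface Serial0 overload
"""
ENDPOINT_A_CONFIG = """\
hostname vpn-a
crypto ipsec nat-transparency spi-matching
"""
ENDPOINT_B_CONFIG = """\
hostname vpn-b
crypto ipsec nat-transparency udp-encaps
"""

SPI_MATCH_RE = re.compile(r"^ip nat service list (\S+) ESP spi-match$", re.I)
ACL_RE = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))\b", re.I)
NAT_TRANSP_RE = re.compile(r"^(no )?crypto ipsec nat-transparency (spi-matching|udp-encaps)$", re.I)


def config_lines(text):
    """Drop blank lines and '!' comment lines from a running-config dump."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def audit_nat_device(text):
    """Findings for the NAT device: ESP spi-match present and its access list defined."""
    lines = config_lines(text)
    acls, spi_lists = set(), []
    for ln in lines:
        m = ACL_RE.match(ln)
        if m:
            acls.add(m.group(1) or m.group(2))
        m = SPI_MATCH_RE.match(ln)
        if m:
            spi_lists.append(m.group(1))
    findings = []
    if not spi_lists:
        findings.append("NAT device: no 'ip nat service list <acl> ESP spi-match' line")
    for acl in spi_lists:
        if acl not in acls:
            findings.append(f"NAT device: ESP spi-match references undefined access list {acl}")
    return findings


def endpoint_state(text):
    """Replay an endpoint's crypto ipsec nat-transparency lines in order.
    Returns (spi_matching, udp_encaps) as booleans."""
    spi, udp = False, True          # documented default: UDP encapsulation on
    for ln in config_lines(text):
        m = NAT_TRANSP_RE.match(ln)
        if not m:
            continue
        negated, keyword = bool(m.group(1)), m.group(2).lower()
        if keyword == "spi-matching":
            spi = not negated
            udp = udp and not spi   # enabling one option disables the other
        else:
            udp = not negated
            spi = spi and not udp
    return spi, udp


def audit_endpoint(name, text):
    """One finding when the endpoint does not end up with SPI matching enabled."""
    spi, udp = endpoint_state(text)
    if spi:
        return []
    effective = "UDP encapsulation (the default)" if udp else "neither option"
    return [f"{name}: SPI matching not enabled; effective setting is {effective}"]


def audit_all(nat_cfg, endpoint_cfgs):
    """Run every check; an empty list means all prerequisites are met."""
    findings = audit_nat_device(nat_cfg)
    for name, cfg in endpoint_cfgs.items():
        findings.extend(audit_endpoint(name, cfg))
    return findings


if __name__ == "__main__":
    for finding in audit_all(NAT_DEVICE_CONFIG,
                             {"vpn-a": ENDPOINT_A_CONFIG, "vpn-b": ENDPOINT_B_CONFIG}):
        print(finding)
```

With the constructed configs the script reports only vpn-b, which still uses the default UDP encapsulation; the NAT device passes because access list 10 exists and is referenced by the ESP spi-match line. Feed it the output of show running-config from each device to check a real deployment.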
Additional References
For additional information related to NAT Support for IPsec ESP—Phase II features, see the following sections:
• MIBs
• RFCs
Related Documents
Standards
Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: —
MIBs
MIBs: No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
MIBs Link:
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://tools.cisco.com/ITDIT/MIBS/servlet/index
If Cisco MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco MIBs page at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:
RFCs
RFCs: No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Title: —
Technical Assistance
Command Reference
This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 T command reference publications.
Modified Commands
• clear ip nat translation
• crypto ipsec nat-transparency
• ip nat service
• show ip nat translations
clear ip nat translation
To clear dynamic Network Address Translation (NAT) translations from the translation table, use the clear ip nat translation command in privileged EXEC mode.
clear ip nat translation {* | [inside global-ip global-port local-ip local-port] | [outside local-ip global-ip]}
clear ip nat translation [esp | tcp | udp] [inside global-ip global-port local-ip local-port] | [outside local-ip global-ip]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to clear entries from the translation table before they time out.
Examples
The following example shows the NAT entries before and after the User Datagram Protocol (UDP) entry is cleared:
Router# show ip nat translations
Pro Inside global         Inside local        Outside local      Outside global
udp 171.69.233.209:1220   192.168.1.95:1220   171.69.2.132:53    171.69.2.132:53
tcp 171.69.233.209:11012  192.168.1.89:11012  171.69.1.220:23    171.69.1.220:23
tcp 171.69.233.209:1067   192.168.1.95:1067   171.69.1.161:23    171.69.1.161:23
Router# clear ip nat translation udp inside 171.69.233.209 1220 192.168.1.95 1220 171.69.2.132 53 171.69.2.132 53
Router# show ip nat translations
Pro Inside global         Inside local        Outside local      Outside global
tcp 171.69.233.209:11012  192.168.1.89:11012  171.69.1.220:23    171.69.1.220:23
tcp 171.69.233.209:1067   192.168.1.95:1067   171.69.1.161:23    171.69.1.161:23
Related Commands
crypto ipsec nat-transparency
To enable security parameter index (SPI) matching or User Datagram Protocol (UDP) encapsulation between two Virtual Private Network (VPN) devices, use the crypto ipsec nat-transparency command on both devices in global configuration mode. To disable both SPI matching and UDP encapsulation, use the no form of this command with each keyword.
crypto ipsec nat-transparency {spi-matching | udp-encaps}
no crypto ipsec nat-transparency {spi-matching | udp-encaps}
Syntax Description
spi-matching
Enables SPI matching on both endpoints.
udp-encaps
Enables UDP encapsulation on both endpoints.
Defaults
When this command is entered, UDP encapsulation is enabled by default.
Command Modes
Global configuration (config)
Command History
Release 12.2(13)T: This command was introduced.
Release 12.2(15)T: The spi-matching keyword was added.
Usage Guidelines
You can use this command to resolve issues that arise when Network Address Translation (NAT) is configured in an IP Security (IPsec)-aware network. This command has two mutually exclusive options:
• The default option is UDP encapsulation of the IPsec protocols.
• The alternative is to match the inbound SPI to the outbound SPI.
When you enter the crypto ipsec nat-transparency command, UDP encapsulation is configured unless you either specifically disable it or configure SPI matching. You can disable both options, but doing so might cause problems if the device you are configuring uses NAT and is part of a VPN.
To disable SPI matching, configure UDP encapsulation or use the no form of this command with the keyword spi-matching. To disable UDP encapsulation, configure SPI matching or use the no form of this command with the keyword udp-encaps. To disable both SPI matching and UDP encapsulation, first disable UDP encapsulation, and then disable SPI matching. If you disable both options, the show running-config command displays no crypto ipsec nat-transparency udp-encaps.
Examples
The following example shows how to enable SPI matching on the endpoint routers:
crypto ipsec nat-transparency spi-matching
Related Commands
ip nat service
To specify a port other than the default port, use the ip nat service command in global configuration mode. To disable the port, use the no form of this command.
ip nat service {H225 | list {access-list-number | access-list-name} {ESP spi-match | IKE preserve-port | ftp tcp port port-number} | ras | sip {tcp | udp} port port-number | skinny tcp port port-number}
no ip nat service {H225 | list {access-list-number | access-list-name} {ESP spi-match | IKE preserve-port | ftp tcp port port-number} | ras | sip {tcp | udp} port port-number | skinny tcp port port-number}
Syntax Description
Defaults
Disabled
Command Modes
Global configuration (config)
Command History
Usage Guidelines
A host with an FTP server using a port other than the default port can have an FTP client using the default FTP control port. When a port other than the default port is configured for an FTP server, Network Address Translation (NAT) prevents FTP control sessions that are using port 21 for that particular server. If an FTP server uses the default port and a port other than the default port, both ports need to be configured using the ip nat service command.
NAT listens on the default port of the Cisco CallManager to translate the skinny messages. If the CallManager uses a port other than the default port, that port needs to be configured using the ip nat service command.
Examples
The following example shows how to configure the nonstandard FTP port 2021:
ip nat service list 10 ftp tcp port 2021
access-list 10 permit 10.1.1.1
The following example shows how to configure the standard FTP port 21 and the nonstandard port 2021:
ip nat service list 10 ftp tcp port 21
ip nat service list 10 ftp tcp port 2021
access-list 10 permit 10.1.1.1
The following example shows how to configure the 20002 port of the CallManager:
ip nat service skinny tcp port 20002
The following example shows how to configure TCP port 500 of the third-party concentrator:
ip nat service list 10 IKE preserve-port
The following example shows how to configure SPI matching on the endpoint routers:
ip nat service list 10 ESP spi-match
Related Commands
show ip nat translations
To display active Network Address Translation (NAT) translations, use the show ip nat translations command in privileged EXEC mode.
show ip nat translations [esp] [icmp] [pptp] [tcp] [udp] [verbose] [vrf vrf-name]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Release 11.2: This command was introduced.
Release 12.2(13)T: The vrf vrf-name keyword and argument combination was added.
Release 12.2(15)T: The esp keyword was added.
Examples
The following is sample output from the show ip nat translations command. Without overloading, two inside hosts are exchanging packets with some number of outside hosts.
Router# show ip nat translations
Pro Inside global         Inside local        Outside local      Outside global
--- 171.69.233.209        192.168.1.95        ---                ---
--- 171.69.233.210        192.168.1.89        ---                ---
With overloading, a translation for a Domain Name Server (DNS) transaction is still active, and translations for two Telnet sessions (from two different hosts) are also active. Note that two different inside hosts appear on the outside with a single IP address.
Router# show ip nat translations
Pro Inside global         Inside local        Outside local      Outside global
udp 171.69.233.209:1220   192.168.1.95:1220   171.69.2.132:53    171.69.2.132:53
tcp 171.69.233.209:11012  192.168.1.89:11012  171.69.1.220:23    171.69.1.220:23
tcp 171.69.233.209:1067   192.168.1.95:1067   171.69.1.161:23    171.69.1.161:23
The following is sample output that includes the verbose keyword:
Router# show ip nat translations verbose
Pro Inside global         Inside local        Outside local      Outside global
udp 171.69.233.209:1220   192.168.1.95:1220   171.69.2.132:53    171.69.2.132:53
    create 00:00:02, use 00:00:00, flags: extended
tcp 171.69.233.209:11012  192.168.1.89:11012  171.69.1.220:23    171.69.1.220:23
    create 00:01:13, use 00:00:50, flags: extended
tcp 171.69.233.209:1067   192.168.1.95:1067   171.69.1.161:23    171.69.1.161:23
    create 00:00:02, use 00:00:00, flags: extended
The following is sample output that includes the vrf keyword:
Router# show ip nat translations vrf red
Pro Inside global         Inside local        Outside local      Outside global
--- 2.2.2.1               192.168.121.113     ---                ---
--- 2.2.2.2               192.168.122.49      ---                ---
--- 2.2.2.11              192.168.11.1        ---                ---
--- 2.2.2.12              192.168.11.3        ---                ---
--- 2.2.2.13              140.48.5.20         ---                ---
Pro Inside global         Inside local        Outside local      Outside global
--- 2.2.2.3               192.168.121.113     ---                ---
--- 2.2.2.4               192.168.22.49       ---                ---
The following is sample output that includes the esp keyword:
Router# show ip nat translations esp
Pro Inside global         Inside local             Outside local      Outside global
esp 192.168.22.40:0       192.168.122.20:0         192.168.22.20:0    192.168.22.20:28726CD9
esp 192.168.22.40:0       192.168.122.20:2E59EEF5  192.168.22.20:0    192.168.22.20:0
The following is sample output that includes the esp and verbose keywords:
Router# show ip nat translation esp verbose
Pro Inside global         Inside local             Outside local      Outside global
esp 192.168.22.40:0       192.168.122.20:0         192.168.22.20:0    192.168.22.20:28726CD9
    create 00:00:00, use 00:00:00,
    flags:extended, 0x100000, use_count:1, entry-id:192, lc_entries:0
esp 192.168.22.40:0       192.168.122.20:2E59EEF5  192.168.22.20:0    192.168.22.20:0
    create 00:00:00, use 00:00:00, left 00:04:59, Map-Id(In):20,
    flags:extended, use_count:0, entry-id:191, lc_entries:0
Table 1 describes the significant fields shown in the display.
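The following Python parser is an added example, not Cisco's code, for turning show ip nat translations output (including the esp and verbose forms above) into structured records so that ESP translation entries can be checked or logged by a script. The field table (Table 1) did not survive on this page, so one interpretation is assumed here: on esp rows the value after the colon is the ESP SPI printed in hexadecimal rather than a port, and 0 means no SPI has been learned for that side of the entry yet. The sample output embedded in the script is constructed to match the shape of the output above, and the function names are the example's own.

```python
"""Added example (not Cisco's code): parse 'show ip nat translations' output,
including the esp and verbose forms, into structured records.
Interpretation (assumption, since this page's field table is missing): on esp
rows the value after the colon is the ESP SPI in hexadecimal rather than a
port, and 0 means no SPI has been learned for that side yet. SAMPLE_OUTPUT is
constructed to match the shape of the output shown in the document."""
import re

SAMPLE_OUTPUT = """\
Router# show ip nat translation esp verbose
Pro Inside global      Inside local             Outside local      Outside global
esp 192.168.22.40:0    192.168.122.20:0         192.168.22.20:0    192.168.22.20:28726CD9
    create 00:00:00, use 00:00:00,
    flags:extended, 0x100000, use_count:1, entry-id:192, lc_entries:0
esp 192.168.22.40:0    192.168.122.20:2E59EEF5  192.168.22.20:0    192.168.22.20:0
    create 00:00:00, use 00:00:00, left 00:04:59, Map-Id(In):20,
    flags:extended, use_count:0, entry-id:191, lc_entries:0
"""

ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):([0-9A-Fa-f]+)$")
COLUMNS = ("inside_global", "inside_local", "outside_local", "outside_global")


def split_endpoint(token, proto):
    """'ip:value' -> (ip, int). esp values are hex SPIs; tcp/udp values are decimal ports.
    A bare '---' (no translation on that side) becomes (None, None); an address
    without a port column (static entries) becomes (ip, None)."""
    if token == "---":
        return None, None
    m = ENDPOINT_RE.match(token)
    if not m:
        return token, None
    return m.group(1), int(m.group(2), 16 if proto == "esp" else 10)


def parse_attrs(text, entry):
    """Fold one verbose continuation line ('create 00:00:02, flags: extended, ...') into entry."""
    for item in text.strip().rstrip(",").split(","):
        item = item.strip()
        if not item:
            continue
        if " " in item:                     # 'create 00:00:00', 'flags: extended', 'left 00:04:59'
            key, value = item.split(None, 1)
            entry["attrs"][key.rstrip(":")] = value
        elif ":" in item:                   # 'use_count:1', 'Map-Id(In):20', 'flags:extended'
            key, value = item.split(":", 1)
            entry["attrs"][key] = value
        else:                               # bare tokens such as '0x100000'
            entry["extra"].append(item)


def parse_translations(text):
    """Return one dict per translation row; verbose lines attach to the preceding row."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("Router#") or line.startswith("Pro "):
            continue                        # prompt echo and column header
        if raw[0].isspace():                # indented verbose continuation line
            if entries:
                parse_attrs(line, entries[-1])
            continue
        parts = line.split()
        proto = parts[0].lower()
        entry = {"proto": proto, "attrs": {}, "extra": []}
        for col, tok in zip(COLUMNS, parts[1:5]):
            entry[col] = split_endpoint(tok, proto)
        entries.append(entry)
    return entries


def spis(entry):
    """Nonzero SPIs of an esp row keyed by column, e.g. {'outside_global': 0x28726CD9}."""
    if entry["proto"] != "esp":
        return {}
    return {col: entry[col][1] for col in COLUMNS if entry[col][1]}


if __name__ == "__main__":
    for e in parse_translations(SAMPLE_OUTPUT):
        print(e["proto"], {c: hex(v) for c, v in spis(e).items()}, e["attrs"])
```

On the constructed sample the first esp row yields only an outside-global SPI and the second only an inside-local SPI, which matches the two directions of one tunnel as they appear in the output above; the parser also handles the plain tcp and udp rows and the "---" entries from the earlier examples.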
Related Commands

